Changes to RACF Authorization Processing
Extensions have been introduced to RACF's processing of authorization r which boththe RACF identity of andthe thserverRACF identity of a client of server application are used in a resource access decision.
RACF support for OpenEdition DCE introduces new indicators in the ACEE. Th indicators mark the ACEE clientas a ACEE. Client ACEEs are created by OS/390 OpenEdition and RACF on behalf of multithreaded unauthorized application on OS/390.
Client ACEEs can | only be created through the OS/390 OpenEdition | |
pthread_security_np | callable servicepthread orsecurity_np() | C language |
function call. |
|
|
There are two types of client ACEEs:
ŸUnauthenticated client ACEE
When an | unauthenticated client | ACEE | is | used | in | an | access | control | de | ||||||
two | authorization | checks | occur. |
|
|
|
|
|
|
|
|
| |||
– | The | first check uses the client | ACEE. This | is | the ACEE | that | is | a | |||||||
| with the current task. If the request is successful, the sec | ||||||||||||||
| performed. |
|
|
|
|
|
|
|
|
|
|
|
|
| |
– | The | second check | uses | the | ACEE | associated | with | the | server. This | ||||||
| same | ACEE that | is | associated | with | the | application | server's | addre | ||||||
The automatic checking of both the client's identity and the serv performed for RACF resources defined to RACF via profiles and for OpenEdition resources, such as hierarchical file system files (HFS), access is governed by POSIX permission bits.
ŸAuthenticated client ACEE
When an authenticated client ACEE is used in an access control dec this ACEE is used in the access control decision. Audit records co additional relocate section, indicating that this authorization requ processed using an ACEE which was created on behalf of an unautho application.
An authenticated client ACEE is created when the client of the se application has supplied its RACF password (or RACF PassTicket) to th
application server. | The | application | server specifies | the client's RA | ||
(or RACF | PassTicket) | on | pthreadthe _security_np | OS/390 | OpenEdition | |
callable | service or | on | the pthreadC languagesecurity_np() | function | call. | |
Restrictions
The | security | administrator | must | be | aware | of the restrictions of the |
ACEE | support, | in which both | the | application | server's RACF identity and | |
RACF | identity | are used in | resolving | access | decisions. | |
ŸRACROUTE REQUEST=FASTAUTH processing has not been enhanced to automatically check both the server and client RACF identities.
Ideally, application servers on OS/390 do not have to run
Chapter 7. Administration Considerations41
